Content Discovery


# Fuzzing Wordlists

# Fuzzing and Content Discovery


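# Fuzz non-printable (0x00, 0xFF) and boundary characters in any user input.
# The other bytes sit just outside the ASCII ranges 0-9, A-Z and a-z, so they expose
# off-by-one character classes and unanchored patterns in input validation.
# Could result in regex bypass, account takeover...
# When validating, use anchored allowlists and reject or normalise these bytes before matching.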
0x00, 0x2F, 0x3A, 0x40, 0x5B, 0x60, 0x7B, 0xFF
%00, %2F, %3A, %40, %5B, %60, %7B, %FF

JS extraction

# Extract endpoints from JS files (tool link missing in this copy)
ruby extract.rb

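# Check for broken links and domain takeover: a link to an expired domain or unclaimed
# account can be re-registered by someone else and served under your page's trust.
# For Twitter, TwitterBFTD is great
# (target URL and --exclude values are missing in this copy; placeholders shown)
$ blc -rof --filter-level 3 <URL>
$ blc -rfoi --exclude <PATTERN> --exclude <PATTERN> --filter-level 3 <URL>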


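# (script name and target URL are missing in this copy; as written, -u and -f would be
# parsed as python3 interpreter options rather than tool options; placeholders shown)
$ python3 <SCRIPT> -u <URL> -f -e php,xml,txt -t 10 -w wordpress.fuzz.txt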